Portable Computer Forensic
Technology Open Source Laboratory
Novizul Evendi, C.E.O. T'Lab
Theory
Computer forensic
● Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
● Multiple methods of:
– Discovering data on a computer system
– Recovering deleted, encrypted, or damaged file information
– Monitoring live activity
– Detecting violations of corporate policy
● Information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity
Example Computer forensic
● Recovering thousands of deleted emails
● Performing investigation post employment termination
● Recovering evidence post formatting hard drive
● Performing investigation after multiple users had taken over the system
Who Uses Computer forensic
● Criminal Prosecutors
– Rely on evidence obtained from a computer to prosecute suspects and use as evidence
● Civil Litigations
– Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases
● Insurance Companies
– Evidence discovered on a computer can be used to mollify costs (fraud, worker’s compensation, arson, etc.)
● Private Corporations
– Evidence obtained from employee computers can be used as evidence in harassment, fraud, and embezzlement cases
Who Uses Computer forensic
● Law Enforcement Officials
– Rely on computer forensics to back up search warrants and post-seizure handling
● Individual/Private Citizens
– Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment
Step Of Computer Forensic
● Acquisition: Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices
● Identification : This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites
● Evaluation: Evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court
● Presentation: This step involves the presentation of evidence discovered in a manner which is understood by lawyers and non-technical staff/management, and suitable as evidence as determined by United States and internal laws
Processing Guidelines
● Shut down the computer
● Document the Hardware Configuration of The System
● Transport the Computer System to A Secure Location
● Make Bit Stream Backups of Hard Disks and Floppy Disks
● Mathematically Authenticate Data on All Storage Devices
● Document the System Date and Time
● Make a List of Key Search Words
● Evaluate the Windows Swap File
Processing Guidelines (Cont)
● Evaluate File Slack
● Evaluate Unallocated Space (Erased Files)
● Search Files, File Slack and Unallocated Space for Key Words
● Document File Names, Dates and Times
● Identify File, Program and Storage Anomalies
● Evaluate Program Functionality
● Document Your Findings
● Retain Copies of Software Used
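The guidelines above describe a procedure: take a bit-stream backup, mathematically authenticate it, record the system date and time, and then search files, file slack and unallocated space for key words. The following script is an added example written for this page (not a tool from T'Lab or from the original deck) that carries those steps out on a small constructed "disk" held in memory; the function names, the SHA-256 choice for authentication and the sample sector layout are all assumptions made here.

```python
"""Added example: minimal bit-stream acquisition, hash authentication,
timestamping and raw key-word search. Illustrative code written for this
page, not from the original deck. The 'device' is a constructed byte
string standing in for a small disk so the script runs offline."""
import datetime
import hashlib
import io

SECTOR = 512  # assumed sector size for the constructed disk


def build_sample_disk() -> bytes:
    """Constructed sample disk: a header in sector 0 and one text fragment
    sitting inside an otherwise zero-filled sector, the way a deleted or
    slack-resident record would."""
    disk = bytearray(SECTOR * 8)
    disk[0:64] = b"FILESYSTEM HEADER (constructed)".ljust(64, b"\x00")
    fragment = b"contract draft: pay INVOICE-1234 in cash"
    start = 3 * SECTOR + 100
    disk[start:start + len(fragment)] = fragment
    return bytes(disk)


def bit_stream_copy(src, dst, chunk=SECTOR) -> str:
    """Copy every byte sector by sector and hash the stream as it is read.
    Returns the SHA-256 hex digest of what was read from the source."""
    h = hashlib.sha256()
    while True:
        block = src.read(chunk)
        if not block:
            break
        h.update(block)
        dst.write(block)
    return h.hexdigest()


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def keyword_hits(image: bytes, keywords):
    """Search the raw image (allocated, slack and unallocated alike) and
    return {keyword: [byte offsets]}; an empty list means no hit."""
    hits = {}
    for kw in keywords:
        needle = kw.encode()
        offsets, start = [], 0
        while (i := image.find(needle, start)) != -1:
            offsets.append(i)
            start = i + 1
        hits[kw] = offsets
    return hits


def acquire_and_authenticate(source: bytes, keywords):
    """Run the acquisition steps and return a small evidence record:
    acquisition time, source and image hashes, a verified flag and
    key-word hits."""
    src, dst = io.BytesIO(source), io.BytesIO()
    acquired_at = datetime.datetime.now(datetime.timezone.utc).isoformat()
    source_hash = bit_stream_copy(src, dst)
    image = dst.getvalue()
    image_hash = sha256_of(image)
    return {
        "acquired_at_utc": acquired_at,
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash and len(image) == len(source),
        "image_size": len(image),
        "keyword_hits": keyword_hits(image, keywords),
    }


if __name__ == "__main__":
    record = acquire_and_authenticate(build_sample_disk(), ["INVOICE-1234", "cash"])
    for key, value in record.items():
        print(f"{key}: {value}")
```

The source hash is computed from the bytes as they are read, and the image hash from the bytes as they were written; the two matching is what "mathematically authenticates" the backup. Searching the raw image rather than the parsed file system is why the fragment in the zero-filled sector is still found.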
Anti Computer Forensic
● Software that limits and/or corrupts evidence that could be collected by an investigator
● Performs data hiding and distortion
● Exploits limitations of known and used forensic tools
● Works on both Windows and Linux based systems
● In place prior to or post system acquisition
War Tools
Portable Computer Forensic
Web: www.tlab.co.id
Mail: [email protected]
Closing
Demo
Technology Open Source Laboratory
/TLabUpdate @TLabUpdate